How to Use Biometrics to Ensure Security: An Interview with Ned Hayes of SureID — Toolbox Interview

How to Use Biometrics to Ensure Security: An Interview with Ned Hayes of SureID

“Biometrics provide multiple modalities and are not so easy to fake, spoof, or duplicate in real-time, they have now taken the pole position in terms of identity proofing.”

The General Manager of SureID, Ned Hayes, weighs in on how the use of biom

etrics technology has evolved over the years, allowing governments and users to create stricter laws around human rights and privacy. From iris scans to voice typing and gait tracking, Ned lets us know about the new methods of biometrics today and the security parameters that relate to them.

As a technologist, identity researcher and author himself, Ned has created awareness on biometrics technology through his books and work. His most recent novel was the national bestseller The Eagle Tree, which was nominated for the Pacific Northwest Booksellers Award. SureID has supported military installations through trusted credentialing, vetting, and screening services to become one of the first approved FBI channelers.

In this interview, Ned identifies the top three industries for biometrics and AI. He answers questions around: How this space has evolved over the years? What outcomes can be drawn from biometrics today? How can startups be more cognizant and democratize the use of biometrics technology? And, how technology leaders can deploy biometrics technology in a responsible way?

Key takeaways from this interview:

Understand the types of biometrics and its uses

Learn more about the global biometrics market

The latest trends to track in this space

Here’s what Ned says about the impact of AI on cybersecurity and biometrics:

The interesting thing about biometrics over time is that fingerprints and other associated biometrics were once seen as just one way of proving identity – they weren’t seen as significantly different or superior in terms of usefulness or security compared to other means of proving identity. Yet the emergence of digital identity has led to numerous hacks of knowledge-based identity – when credentials are only comprised of something you know, these items become highly portable and easily duplicated. It’s all too easy to fake or replicate digitally-based identities.

However, because biometrics provide multiple modalities and are not so easy to fake, spoof, or duplicate in real-time, biometric factors have now taken pole position in terms of identity proofing.

As new methods of collecting ever-more-granular biometric data points emerge, from iris scans to voice typing to gait tracking, it’s been possible to create a gold standard from a holistic set of biometrics. The newer high-fidelity biometrics have raised the bar even further for identity proofing, so that safer environments can be created for consumers, with a minimum of technical buy in or hassle to end-users.

What makes biometrics so compelling is that they are industry agnostic – no one vendor owns the standard – and biometrics potentially tie together different modalities. When combined, multiple biometrics can create a much safer environment for the consumer, and they’re much easier to use than trying to remember multiple passwords.

Which are the top three industries/sectors or use cases demonstrating a real appetite for biometrics and smart artificial intelligence (AI) today and why?

Machine learning and various AI techniques are now being used against a combined PII and biometric data to do very large data set weighing, profiling of individuals, and risk analysis. The combination of AI and biometrics has led to a sea-change in terms of our understanding of activity and behavior. The three industries that look to benefit the most from these radical changes are:

1) Travel and aviation: Airports, airlines, and commercial aviation entities are increasingly looking for better ways to understand who is using their services, and the relative risk of people traveling. This is a huge growth area both for my company and the biometrics we offer, as well as an array of other companies offering cutting edge biometric collection, storage, and analysis services.

2) Financial and banking services: Banking has now become global in every regard, and even average consumers are touched by international banking regulations (such as GDPR). In this much broader financial ecosystem, it is essential that both financial sector employees and consumers of lending and spending services can prove without doubt who they are and validate transactions in real time. Settling a loan or transaction in a matter of weeks is no longer viable. Biometrics, especially when assisted by smarter machine learning, can help accelerate financial processes with a high degree of trust.

3) Retail and transaction-based exchanges: As B2B verticals (such as finance) become more familiar with biometrics to prove identity, it is increasingly evident that retail establishments and daily transactions will begin to rely on biometric authentication as well. I see this as the major groundswell of change coming to the retail sector. It’s not unlikely that you’ll just pay with your face and your thumb at most retail locations in the coming years.

How has smart AI impacted the cyber security space and how can it drive stronger outcomes from biometrics?

Machine learning and other techniques have allowed for new types of hacks and spoofing. One noteworthy example is called “DeepMasterPrint” – this is a set of machine-learning driven exploits developed by an NYU-based research team led by Philip Bontrager. This exploit analyzed thousands of prints and created a machine-learning derived print set that could replicate the authentication provided by potentially millions of prints. This means that many fingerprints used to log into phones and tablets could be hacked by a “fake fingerprint” that replicated many of the points found in millions of real human fingerprints.

Cyber security has been negatively affected by machine learning and smart AI. Yet what’s fascinating as this hack emerged is that it is the only biometric hack that could be potentially used at scale, and it was created in a lab environment, not in the wild. In fact, analysis of the hack demonstrates that absent the tools that serious machine learning experts and 3D printing experts have at hand, it would be very difficult to replicate by bad actors. Not a single phone or person has been hacked by this supposed exploit. Furthermore, professional systems that collect fingerprints for regulatory use already have built-in safeguards that prevent this hack.

In contrast to the facts regarding what amount to academic fingerprint hacks, and the lack of real hacks in the wild, every day seems to bring a new hack of name-based or knowledge-based identity verification systems. Recently, it was revealed that hackers have access to 2.2 billion hacked accounts (all knowledge-based hacks, not a single biometric-secured account among them) and are readily sharing and profiting from this data for nefarious purposes.

The entry of these techniques, combined with the many data points in biometrics, allows for an order of magnitude change in our understanding of the people in our database and the pertinent characteristics that distinguish one person’s unique identity from another.

What steps should smaller organizations or startups take today to remain competitive tomorrow? Do you see biometrics as being a democratized and accessible technology?

Biometrics in terms of consumer awareness and thought leadership have very much arrived. Every child knows that a fingerprint or a face can unlock a phone. Cheap and low-end biometrics sensors, such as those found on smartphones, are very much broadly available.

I’d characterize this change as very similar to the change in knowledge-based authentication. Two decades ago, early consumers used a “password” composed of a word that the user chose – sometimes from a list written on a piece of paper at their desk. Today, security experts – and much of the general public – knows that a “passphrase” is more secure. Most of all, everyone understands the utility of a passphrase that can’t be hacked with a simple dictionary attack. So, most people today salt their passphrases with numbers, characters and upper- and lower-case letters. This is admittedly awkward, and makes remembering passwords difficult to impossible, but it does raise the security bar.

In the same manner, we are rapidly moving from a broadly democratized and accessible form of insecure biometrics into a more highly secured environment. The general public will understand that in order to really rely upon biometrics, you must use multiple biometrics in concert, and use them at high fidelity with multiple inputs. So, instead of just one finger, you would use all your fingers, plus a facial scan or a voice scan. Together, this holistic picture of a biometric “signature” creates much greater security, than a full long passphrase salted with special characters.

Has data stored in the cloud become vulnerable? What should a technology leader balance when it comes to evaluating technology solutions that not only meet speed, agility and functionality requirements but also security, regulatory and compliance requirements?

Most of the companies who have had consumer data stolen have been operating as online-only or transaction-based identity providers for a decade or less. Yet companies whose business has been identity for decades – such as major background screening companies and companies whose business has always been personal data – have rarely been hacked.

Facebook, LinkedIn, and Dropbox have not been in business for decades with identity at the core of their business. Their lack of expertise in storing and managing personal identity data is demonstrated by the hacks they’ve suffered. Yet major background screening and HR companies who have been in the space for half a century, and who work in a regulated industry, have rarely or never had data publicly stolen. This level of depth and expertise in identity management and security protocol shows.

Technology leaders with experience in the space will increasingly be relied upon. Just as you wouldn’t trust your life to an unskilled or unexperienced doctor, why would you trust your company’s data to someone just out of the startup gates?

There are several concerns with surveillance of employees by companies. These new technologies are so advanced that those concerns are escalating. How can technology leaders approach the deployment of such technologies in a responsible manner?

Monitoring or surveilling of employees is a legal action, especially if employees have signed a release acknowledging the surveillance. All too often though, this “legality” is what companies rely upon to make all decisions regarding their employee satisfaction, well-being, and basic data. There are larger moral and ethical questions regarding the right to privacy and autonomy that should be considered. It’s not enough to say that the company has “rights” – it is often more important to consider what rights are being taken away from the employees and to honor an employee’s need for privacy.

To limit the negative impact to employees while still honoring the need of the company for security and trust in the workplace, it is important for companies to consider why such technologies are being deployed, and to justify their use openly and transparently to employees. If an employee is handling sensitive transactions or cash, it is viable to tell the employees that all transactions like this will be monitored. But it crosses a line of ethical company behavior when the company just extends that concern to monitor every motion of the employees in their breakroom or bathroom.

Employees who are properly informed about the existence of biometric monitoring can make decisions based on the degree of monitoring and providing this level of transparency is not only the right thing to do but will also lead to higher employee satisfaction and retention over time.

What skillset and mindset changes are needed for organizations of all sizes to really leverage the benefits of these smart security technologies? To what extent do business users need to understand them?

In terms of smart machine-learning driven security, it is vital for business users to understand that smarter systems can find anomalies in large data sets that cannot be spotted by simple human endeavor. Instead of relying upon our own knowledge of a space, it would be wise for most businesses to record data on ingress/egress and record characteristics of all users and then run algorithms to find patterns in the data that can be explored further.

The mindset change that must happen is that business users need to realize that the system itself can make them smarter about their employees and their company.

In terms of biometrics, there’s a sea change coming in identity, and preparing oneself for this radical change may shift entirely how a company thinks about security, and hiring/firing, retention and access.

Are there any industry specific requirements to keep in mind for AI and biometrics?

Smarter neural network-driven systems have been able to provide better and stronger risk analysis tools to mine large datasets. Marrying together these machine learning techniques (looking at recency, activity patterns, behavioral mapping, and other variables) with biometric-secured systems with multiple modalities can create a highly secure system. Such systems are not only secured with hard-to-duplicate multiple modalities of biometric inputs, but also can be analyzed to demonstrate if a biometric credential has been fraudulently obtained or illicitly used.

Fighting fraud is a necessity globally, especially in enterprise banking and B2B payment portals. What role does or can biometrics play in creating secure payment gateways?

The combination of these so-called “smart AI” systems along with multiple biometrics being used in concert creates a new level of consumer privacy and transactional security.

Companies can profit from this change. To distinguish yourself in a crowded marketplace, it’s important to move your systems rapidly to a high-fidelity biometric-secured system that can capture multiple modalities – such as both facial recognition alongside fingerprints, or iris scan as well as voice. Don’t rely on a single fingerprint on a phone to secure your company’s data.

As I said, most of the companies who have had consumer data stolen have been operating as online-only or transaction-based identity providers only in the last decade. Yet companies whose business has been identity for decades – such as national background screeners and telephone identity operators – have experienced statistically fewer and less intrusive hacks.

In the next five years, how do you see the larger space of cyber security evolving into 2020 and beyond? What are you tracking or excited about?

The advent of high-fidelity biometrics in multiple modalities is really a sea-change for identity proving. Instead of having to remember 40 passwords with all their permutations, and to try to remember your specific username for websites or transactions, future online and in-person retail users will find that they only must show recognizable biometrics to prove their identity. Knowledge-based authentication and password-based verification will eventually be gone from the identity landscape.

Understanding this change will presage a new shift in identity management services on a global scale.

Neha: Thank you, Ned, for explaining how biometrics will evolve with machine learning and smart AI. We hope to talk to you again, soon.

Ned Hayes is the General Manager for SureID, and a Vice President at Sterling. He was educated at Stanford University Graduate School of Business and the Rainier Writing Workshop. He has also studied cyborg identity and robotic ethics at the Graduate Theological Union at UC Berkeley.

Backed by nearly two decades of experience, SureID redesigned the electronic fingerprinting process to create the best possible customer experience. With over 800 collection stations covering all 50 states and DC, we are one of the largest fingerprinting networks in the country, and our state-of-the-art technology provides the simplest interface with best-in-class security